apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configmap
data:
  default: |
    user nginx;
    worker_processes  3;
    events {
      worker_connections  5120;
    }
    http {
      # Ensure buffer is large enough to contend with a redirect to a URL that is at the request line length limit
      proxy_buffers   4 16k;
      proxy_buffer_size 16k;

      server {
          listen       80;
          server_name  _;
          location /nginx_health {
            access_log off;
            return 200 "healthy\n";
          }
      }

      map $http_x_edge_proto $scheme_from_fastly {
        "" $scheme;
        default $http_x_edge_proto;
      }

      limit_req_status 429;
      limit_req_zone  $binary_remote_addr  zone=ui:10m  rate=300r/m;
      limit_req_zone  $binary_remote_addr  zone=abusers:10m  rate=30r/s;
      limit_req_zone  $binary_remote_addr  zone=dependencyapi:10m  rate=100r/s;
      limit_req_zone  $binary_remote_addr  zone=minutely:10m  rate=100r/m;

      proxy_cache_path  /var/lib/nginx/cache  levels=1:2 keys_zone=cache-versions:10m inactive=24h  max_size=100m;

      include /etc/nginx/conf.d/logging.conf;
      include /etc/nginx/sites-enabled/*;
    }
  rubygems: |
    server {
        listen       8080;
        server_name _;

        real_ip_recursive on;

        # Fastly (https://api.fastly.com/public-ip-list)
        set_real_ip_from '23.235.32.0/20';
        set_real_ip_from '43.249.72.0/22';
        set_real_ip_from '103.244.50.0/24';
        set_real_ip_from '103.245.222.0/23';
        set_real_ip_from '103.245.224.0/24';
        set_real_ip_from '104.156.80.0/20';
        set_real_ip_from '140.248.64.0/18';
        set_real_ip_from '140.248.128.0/17';
        set_real_ip_from '146.75.0.0/17';
        set_real_ip_from '151.101.0.0/16';
        set_real_ip_from '157.52.64.0/18';
        set_real_ip_from '167.82.0.0/17';
        set_real_ip_from '167.82.128.0/20';
        set_real_ip_from '167.82.160.0/20';
        set_real_ip_from '167.82.224.0/20';
        set_real_ip_from '172.111.64.0/18';
        set_real_ip_from '185.31.16.0/22';
        set_real_ip_from '199.27.72.0/21';
        set_real_ip_from '199.232.0.0/16';

        set_real_ip_from '2a04:4e40::/32';
        set_real_ip_from '2a04:4e42::/32';

        # AWS
        set_real_ip_from '172.30.0.0/16';

        real_ip_header X-Forwarded-For;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme_from_fastly;
        proxy_set_header Forwarded "";
        proxy_set_header X-Forwarded-Host "";
        proxy_set_header Client-IP "";
        proxy_set_header Host $host;
        proxy_set_header X-Request-Start "t=${msec}";
        proxy_redirect off;

        client_max_body_size 500M;

        # Stop unsupported methods from getting to Puma,
        # respond with a 405.
        # (Puma responds with a 501 to unknown methods, which leads to us getting paged
        # for what are essentially bad requests, not server errors)
        # Can't use limit_except here because it doesn't work in server context,
        # only location context, and we want this to apply to all locations.
        if ( $request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH)$ ) {
          return 405;
        }

        location /api/v1/dependencies {
          limit_req zone=dependencyapi burst=10 nodelay;
          proxy_pass http://127.0.0.1:3000;
          proxy_buffer_size          128k;
          proxy_buffers              4 256k;
          proxy_busy_buffers_size    256k;
        }

        location /versions {
          limit_req zone=minutely burst=10 nodelay;
          proxy_pass http://127.0.0.1:3000/versions;
        }

        location /api/v1/search {
          limit_req zone=minutely  burst=10 nodelay;
          proxy_pass http://127.0.0.1:3000;
        }

        location /search {
          limit_req zone=minutely  burst=10 nodelay;
          proxy_pass http://127.0.0.1:3000;
        }

        location /api {
          limit_req zone=abusers  burst=10 nodelay;
          proxy_pass http://127.0.0.1:3000;
        }

        location /info {
          proxy_pass http://127.0.0.1:3000;
        }

         <% if environment == 'staging' %>
        location /internal {
          limit_req zone=abusers burst=10;
          proxy_pass http://127.0.0.1:3000;
        }

        location / {
          auth_basic           "Restricted Access!";
          auth_basic_user_file /etc/nginxbasicauth/.htpasswd;
          limit_req zone=abusers burst=10;
          proxy_pass http://127.0.0.1:3000;
        }
        <% else %>
        location / {
          limit_req zone=ui burst=5;
          proxy_pass http://127.0.0.1:3000;
        }
        <% end %>


    }
  logging: |
    log_format json escape=json '{'
      '"host": "${HOSTNAME}", '
      '"@timestamp": "$time_iso8601", '
      '"service": "rubygems.org", '
      '"env": "<%= environment %>", '
      '"processing_time_milliseconds": "$request_time", '
      '"forwarded_for": "$http_x_forwarded_for", '
      '"upstream_x_runtime": "$upstream_http_x_runtime", '
      '"upstream_processing_time": "$upstream_response_time", '
      '"upstream": "$upstream_addr", '
      '"http": {'
        '"status_code": $status, '
        '"scheme": "$scheme_from_fastly", '
        '"url": "$scheme_from_fastly://$http_host$request_uri", '
        '"args": "$args", '
        '"dest_host": "$http_host", '
        '"content_type": "$sent_http_content_type", '
        '"location": "$sent_http_location", '
        '"protocol": "$server_protocol", '
        '"referer": "$http_referer", '
        '"useragent": "$http_user_agent", '
        '"method": "$request_method", '
        '"request": "$request", '
        '"request_id": "$upstream_http_x_request_id", '
        '"ssl_protocol": "$ssl_protocol", '
        '"ssl_cipher": "$ssl_cipher"'
      '},'
      '"network": {'
        '"client": {"ip": "$remote_addr"}, '
        '"bytes_written": $bytes_sent, '
        '"body_bytes_written": $body_bytes_sent'
      '}'
    '}';
    access_log  /dev/stdout json;
    error_log	/dev/stdout;
